Putting Malware in the Picture

Spammers actively spread malware using fake notifications on behalf of various financial and banking institutions, booking and delivery services and other companies. The arsenal of tricks used by cybercriminals is constantly being updated. In particular, in recent years we have registered a number of English- and German-language mass mailings in which the attackers try to hide malware under photos and pictures.

In October, the attackers sent out fake notifications claiming to be from T-Mobile, a telecoms operator in Germany, which told users that they had received an MMS. To make the email look legitimate, the sender address contained the official company domain although the email itself was sent from a different address. The body of the email included a contact phone number for sender of the MMS and some general information related to sending and receiving multimedia messages.

The supposed photo named '23-10-2013 13_64_09.jpeg.exe' was not in the body of the email but in the attached archive '23-10-2013 43_69_10.zip'. The scammers used the popular JPEG image file format in the name of the malicious file in the hope that it would convince recipients that the archive did in fact contain the photo. However, alert users would notice that the file extension is really .exe. This executable file is detected by Kaspersky Lab as Backdoor.Win32.Androm. This bot program allows the fraudsters to remotely execute commands on the infected computer, for example, downloading and running other malware without the owner's knowledge.

In November, spammers used Instagram, the popular video and photo-sharing service to spread malicious emails. Fake notifications sent on behalf of this service informed users that their photos had been posted in Instagram. To view the image, recipients were asked to open a ZIP-archive which allegedly contained the graphic file 'Photo DIG9048599868.jpeg.exe'. This was in fact Trojan.Win32.Neurevt, a multifunctional bot which steals data stored in the browser (cookies and passwords), usernames and passwords entered on sites and also game codes. In addition, it is used to download and run the various programs on the victim computer as well as to create botnets for DDoS-attacks. One of the bot's specific features is an advanced functionality designed to counteract various security solutions. For example, it can block the launch of anti-virus software and Windows Update services, or prevent the user from visiting the web sites of antivirus companies.

In November, we registered yet another trick, but this time it was not trying to trade on the name of any reputable company or service. The emails in this malicious mass mailing imitated personal correspondence between friends exchanging private photos. The intriguing header of the message invited recipients to see photos of themselves or their boy/girlfriends. The body text contained emoticons and meaningless words. The sender addresses were generated automatically, although they contained people's names. As in other similar mass mailings, the email included an attached archive with the supposed photo, which was in fact an executable double extension file. Kaspersky Lab detects this file as Trojan-Downloader.Win32.Agent - a Trojan which installs a fake antivirus program on the victim computer. As a result, the infected machine constantly showed pop up notifications about the detected viruses. To remove them, the user had to buy the full version of a so-called antivirus solution. The file with the fake antivirus program is detected by us as Trojan-FakeAV.Win32.SmartFortress2012.ambh.

The malicious file in this archive has the extension .scr which is typical for Windows screen savers. Both .scr and .exe extensions refer to executable files and can be used by spammers to install malware.

One of the main goals of the attackers who spread malicious emails is to get access to the victim's computer. Spammers often exploit people's curiosity and carelessness to help them to do this. An infected computer is not only a source of valuable personal information, but can be also used to launch attacks on other Internet users or large organizations and companies. Your attentiveness and antivirus solutions could help to avoid potential problems in the future.